Most targeted attacks come from China, even though the majority of malicious emails targeting corporations come from email servers in the U.S., according to a new report released today.
Symantec MessageLabs found that the location of the offending email server is only part of the equation. "When we looked at the IP addresses from which the messages were being sent, it revealed that the U.S. appeared to be responsible for more than one-third of those attacks," says Paul Wood, senior analyst with MessageLabs Intelligence. But on closer inspection of the email headers, MessageLabs found 28.2 percent were from China, 21.1 percent were from Romania, and 13.8 percent were from the U.S.
"These are either from individuals in China or computers in China that are under control of someone else [as bots]," Wood says. "The Chinese are certainly in the same boat as the rest of us in malware and bot [infections]."
Targeted attacks, such as those that recently hit Google, Adobe, Intel, and other U.S. companies, brought to light the danger of such attacks that conduct industrial espionage or steal intellectual property from an organization.
Whether this data reflects any activity related to those attacks, also known as Operation Aurora, is unclear. "We were just looking at malware samples we blocked and identified as malicious. There's not necessarily a connection there at all" with Operation Aurora, Wood says. "That's not something I can say 'yes' or 'no' to."
While 36.6 percent of the targeted emails came from mail servers in the U.S., 17.8 percent were from China and 16.5 from Romania. Wood says the U.S. accounted for such a high percentage due to the high concentration of messages that were from Webmail services hosted in the U.S.
The top five types of targeted people were directors, senior officials, vice presidents, managers, and executive directors, the report found. Also, any person with responsibilities in foreign trade and defense policy in Asian countries or other places was also a target, according to the report.
.DOC and .XLS files were the most common types of attachments to the malicious emails -- each accounting for 15.4 percent of the files -- followed by .ZIP (11.2 percent), .PDF (10.7 percent), and .EXE (6.7 percent). Woods says .EXE attachments typically arouse suspicion as malicious, and 15 percent of those they found with emails were malicious. And even though .DOC files are mostly associated with malicious emails, he says, they are not necessarily the most dangerous -- they usually are safe attachments included with the messages.
The most dangerous type of file is an encrypted form of the relatively obscure .RAR file, a proprietary, compressed file. "If they're not encrypted, they are less likely to be malicious," Wood says. "The encrypted ones were malicious 96.8 percent" of the time, he says.
The MessageLabs Intelligence March 2010 report, available here for download, also found that 77 percent of spam sent by the Rustock botnet was sent via a secure TLS connection this month. Spam sent over TLS made up about 20 percent of all spam in March, the report says.